Cyber resilience requires firms to have a proven and workable incident response plan that gives them the best chance to survive and recover from a serious cyber breach. This article is aimed at senior leadership teams and those involved in managing risk and compliance, rather than at a firm's IT providers.


An incident response simulation is a structured exercise that walks key decision-makers through a realistic cyber scenario, usually led by an independent facilitator with experience of cyber-attacks. The objective is to test readiness, expose weaknesses, clarify responsibilities and identify gaps in response processes to help the organisation understand the likely operational impact of an incident before it happens.

Best practice

A cyber-incident response plan gives a business its best chance of containing disruption, making sound decisions under pressure and recovering quickly from an attack. Without a tested plan, organisations are forced to make critical decisions in real time, often when systems are unavailable, information is incomplete and the commercial, legal and reputational stakes are high.

That’s why incident response plans must be rehearsed under realistic conditions, not simply written down. Simulation exercises help organisations identify gaps before a real attack does: discovering that backups will not restore properly, clarifying who owns staff and client communications, or confirming what external advisers and service providers will actually do in a crisis. They turn a document into something operational.

Compliance requirements

There are also clear compliance drivers. Data protection obligations under the UK General Data Protection Regulation mean organisations must test, assess and evaluate the effectiveness of their technical and organisational measures. The Information Commissioner’s Office (ICO) has made it clear that this includes testing incident response arrangements and retaining evidence of that testing.

For regulated firms, the Solicitors Regulation Authority (SRA) similarly requires compliance with law and regulation (paragraph 2.1(a) of the SRA Code of Conduct for Firms).

The government’s open letter to business leaders, dated 15 April 2026, states that business leaders should plan and rehearse how their organisation would respond to a significant incident and reminds leaders that this is a board-level matter, not an issue to be delegated to the IT team.

The Cyber Governance Code of Practice calls for board executives and non-executives to gain assurance that there is at least yearly testing involving key stakeholders, with lessons learned fed back into the plan and risk assessments.

Bear in mind that in the event of a breach, the ICO will take all such guidance into account when determining whether to impose a fine and at what level.

Key business benefits

There can also be a financial benefit. Some professional indemnity insurers are taking a closer look at whether organisations run regular cyber simulations when assessing risk and setting premiums.

In addition, a simulation will:

  • reduce disruption by rehearsing the response before a live incident
  • find weaknesses in systems, processes, communications and third-party dependencies while there is still time to fix them
  • improve decision-making by giving senior leaders practice in handling uncertainty, time pressure and competing priorities
  • clarify roles, escalation routes and reporting obligations across the organisation, and
  • support regulatory, governance and insurance expectations with evidence that the plan has been tested.

Lessons from the field

From our experience advising firms, what separates a confident response from a chaotic one is not just whether a firm has a plan, but whether the right people understand it and know their role in it.

The gap between having a plan and being able to execute it is where many organisations struggle during a live incident. There may be uncertainty over whom to contact, who owns key decisions, or when reporting obligations to regulators or clients are triggered. Firms that practise their response tend to communicate better under pressure, think more clearly and coordinate more effectively across teams.

Communications planning is one of the most underdeveloped areas we see when organisations run their first incident response simulation. Planning often focuses, understandably, on technical containment and recovery, but decisions about who speaks to staff, clients, regulators and the media are just as important to how an incident is managed and perceived internally and externally.

Firms also often discover that their assumptions about third-party providers are wrong, whether that means unclear responsibilities, slow response times or less support than they believed would be available during a crisis.

Many organisations have no recent evidence that their restoration processes will work at the speed and scale a real incident demands. A backup that has never been tested isn’t reliable; it’s just an assumption. In practice, many backups are not configured correctly and may fail to restore systems quickly, or at all, in an emergency. If backups are not properly separated from the live environment, ransomware may encrypt them too. This is often one of the most significant risks to recovery, with direct consequences for downtime, revenue and reputation.
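The restore-testing point above can be made concrete. The script below is an added example written for this article; it is not Mitigo's tooling, nor any firm's backup product, and it assumes a gzip tar archive and a small constructed sample tree rather than real client data. It records a SHA-256 manifest at backup time, restores the archive into a throwaway directory (never the live tree), checks every file against the manifest, and produces a one-line evidence record of the kind a firm can retain to show the test was run. It also shows the failure mode the paragraph warns about: a corrupted archive is reported as failed rather than silently trusted.

```python
"""Added example: prove a backup restores before an incident forces the question.
Not Mitigo's tooling; the sample tree, file names and archive format are assumed."""
import datetime
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tar of source and return the manifest taken at that moment."""
    # A backup stored inside the tree it protects is lost with that tree.
    if archive.resolve().is_relative_to(source.resolve()):
        raise ValueError("backup must not live inside the tree it protects")
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore_test(archive: Path, manifest: dict) -> dict:
    """Restore into a scratch directory and verify every manifest entry."""
    result = {"archive": str(archive), "ok": False, "checked": 0,
              "missing": [], "mismatched": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch_dir:
        scratch = Path(scratch_dir)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # The 'data' filter (Python 3.12+, backported to older releases)
                # refuses members that would escape the destination directory.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **extra)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            result["error"] = f"{type(exc).__name__}: {exc}"
            return result  # an unreadable archive is a failed test, not a pass
        for rel, expected in manifest.items():
            restored = scratch / rel
            if not restored.is_file():
                result["missing"].append(rel)
            elif sha256_file(restored) != expected:
                result["mismatched"].append(rel)
            else:
                result["checked"] += 1
    result["ok"] = not result["missing"] and not result["mismatched"]
    return result


def evidence_line(result: dict) -> str:
    """One JSON line per run: the record retained to show testing took place."""
    record = {
        "tested_at": datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds"),
        "archive": result["archive"],
        "restore_ok": result["ok"],
        "files_verified": result["checked"],
        "error": result["error"],
    }
    return json.dumps(record)


def run_demo() -> dict:
    """Constructed sample: a tiny 'live' tree, one sound backup and one corrupted one."""
    with tempfile.TemporaryDirectory() as work_dir:
        work = Path(work_dir)
        live = work / "live"
        (live / "clients").mkdir(parents=True)
        (live / "clients" / "matter-001.txt").write_text("constructed sample record\n")
        (live / "policies.txt").write_text("constructed incident response plan v1\n")

        good = work / "backup-good.tar.gz"
        manifest = take_backup(live, good)
        good_result = restore_test(good, manifest)

        # Simulate media corruption by zeroing bytes in the middle of the archive.
        bad = work / "backup-bad.tar.gz"
        data = bytearray(good.read_bytes())
        mid = len(data) // 2
        data[mid:mid + 16] = b"\0" * 16
        bad.write_bytes(bytes(data))
        bad_result = restore_test(bad, manifest)

        return {"good": good_result, "bad": bad_result,
                "evidence": evidence_line(good_result)}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The design choice worth noting is that the restore goes to a scratch location and is compared against hashes captured when the backup was taken, so the test proves what was backed up is what comes back, and it does so without touching production. The evidence line is what answers the ICO's question of whether testing happened and when.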

Cyber incident simulations build organisational muscle memory. When an incident occurs, teams are not starting from zero. They are responding to a situation they have already worked through.

How Mitigo can help

Mitigo provides law firms across the UK with independent and impartial assurance that their cyber risk management is effective, proportionate, and aligned with their regulatory obligations. We do not sell hardware or software.

Our incident response simulations are designed for senior leadership teams. To discuss running an incident response simulation tailored to your firm, get in touch with the Mitigo team.